
Online Hackers Target Microsoft Teams to Propagate DarkGate Malware


Microsoft Teams conversations are being abused by a new phishing attempt to distribute malicious attachments that install the DarkGate Loader malware.

The campaign got underway in late August 2023, when two compromised external Office 365 accounts were detected sending Microsoft Teams phishing messages to other organisations.

These accounts were used to lure other Microsoft Teams users into downloading and opening a ZIP file named "Changes to the vacation schedule."

Clicking the attachment downloads a ZIP file from a SharePoint URL; the archive contains an LNK file disguised as a PDF document. The script launched by the LNK first checks whether Sophos antivirus software is present on the target device; if it is not, it launches the shellcode and deobfuscates additional code.

The shellcode builds the DarkGate Windows executable using a technique known as "stacked strings" and loads it into memory. As observed by Truesec and Deutsche Telekom CERT, the campaign uses the hacked Microsoft Teams accounts to send the malicious attachments to other Teams organisations.
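As an added defender-side example, not code from the article or from the researchers it cites: a small Python check that inspects a ZIP attachment for Windows shortcut (.lnk) entries dressed up as documents, the lure format described above. The archive, its file names and the shortcut bytes are constructed here for the demonstration and are not samples from the campaign.

```python
import io
import zipfile

# First 4 bytes of a Shell Link file: HeaderSize = 0x4C (MS-SHLLINK), followed by
# the ShellLink CLSID {00021401-0000-0000-C000-000000000046} as stored on disk.
LNK_MAGIC = b"\x4C\x00\x00\x00"
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")
DOC_EXTS = (".pdf", ".doc", ".docx", ".xls", ".xlsx", ".txt")


def is_lnk(head: bytes) -> bool:
    """True if the first 20 bytes look like a Windows shortcut header."""
    return head[:4] == LNK_MAGIC and head[4:20] == LNK_CLSID


def suspicious_entries(zip_bytes: bytes) -> dict[str, list[str]]:
    """Map each suspicious archive member to the reasons it was flagged.

    Flags .lnk members, document-name-plus-.lnk double extensions (the
    "looks like a PDF" trick) and members whose bytes are a shortcut header
    even though the name does not say .lnk.
    """
    findings: dict[str, list[str]] = {}
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            lower = info.filename.lower()
            with zf.open(info) as member:
                head = member.read(20)  # only the header is needed
            reasons = []
            if lower.endswith(".lnk"):
                reasons.append("lnk_extension")
                if any(lower[:-4].endswith(ext) for ext in DOC_EXTS):
                    reasons.append("document_double_extension")
            elif is_lnk(head):
                reasons.append("lnk_header_under_document_name")
            if reasons:
                findings[info.filename] = reasons
    return findings


def build_sample_zip() -> bytes:
    """Constructed test archive; the 'shortcut' is a bare 76-byte header, not a working LNK."""
    fake_lnk = LNK_MAGIC + LNK_CLSID + b"\x00" * 56
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Changes to the vacation schedule.pdf.lnk", fake_lnk)  # the lure pattern
        zf.writestr("readme.txt", b"plain text, nothing to flag")
        zf.writestr("invoice.pdf", fake_lnk)  # shortcut bytes under a document name
    return buf.getvalue()
```

Run `suspicious_entries(build_sample_zip())` to see the two flagged members; wire the same function into a mail-gateway or sandbox pre-filter to quarantine such archives before a user can open them.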

In a June 2023 report, Jumpsec described a comparable Microsoft Teams phishing technique: a way to deliver malicious messages to users in other organisations through phishing and social engineering.

Despite the stir this finding created, Microsoft chose not to address the risk. Administrators are instead advised to apply secure configurations, such as narrow-scoped allow-lists, or to disable external access altogether if communication with external tenants is not required.

A tool released by a red teamer in July 2023 increased the likelihood of this Microsoft Teams phishing technique being used in the wild, although the attack chain of the recently observed campaign does not appear to rely on it. Since its release in 2017, DarkGate has been used cautiously by a select group of online criminals against specific targets.

hVNC for remote access, cryptocurrency mining, reverse shell, keylogging, clipboard theft, and information theft (files, browser data) are just a few of the harmful behaviours supported by this powerful malware. 

According to a ZeroFox report from June 2023, a person claiming to be the software's original author offered ten people access to DarkGate for the ludicrous price of $100,000 per year.

In the following months, there have been numerous reports of DarkGate distribution ramping up and employing a variety of vectors, including phishing and malvertising. Even though DarkGate may not yet be a widespread threat, its increased targeting and use of various infection channels make it a growing threat that needs to be actively monitored.

Chinese Hackers Disseminating SMS Bomber Tool with Hidden Malware


A threat cluster linked to the Tropic Trooper hacking group has been identified using previously undocumented malware written in the Nim language to attack targets as part of a newly revealed operation.

The new loader, codenamed Nimbda, is "bundled with a Chinese language greyware 'SMS Bomber' malware that is most likely illegally circulated through the Chinese-speaking web," according to a report by Israeli cybersecurity firm Check Point. "Whoever crafted the Nim loader took special care to give it the same executable icon as the SMS Bomber that it drops and executes," the researchers said. 

"Therefore the entire bundle works as a trojanized binary." SMS Bomber, as the name implies, lets the user enter a phone number (not their own) in order to flood the victim's device with messages, potentially rendering it useless in a denial-of-service (DoS) attack.

The fact that the binary functions as both an SMS Bomber and a backdoor shows that the attacks are not just directed at individuals who use the tool — a "somewhat unorthodox target" — but are also highly targeted.

Tropic Trooper, also known as Earth Centaur, KeyBoy, and Pirate Panda, has a history of attacking targets in Taiwan, Hong Kong, and the Philippines, especially in the government, healthcare, transportation, and high-tech industries. 

Trend Micro last year referred to the Chinese-speaking collective as particularly clever and well-equipped, highlighting the group's capacity to develop its TTPs to stay under the radar and rely on a wide range of proprietary tools to compromise its targets. 

Check Point's most recent attack chain begins with the tainted SMS Bomber tool, the Nimbda loader, which runs an embedded executable (in this case the legitimate SMS Bomber payload) while simultaneously injecting a second piece of shellcode into a notepad.exe process. This initiates a three-tier infection process, which includes downloading next-stage malware from an obfuscated IP address given in a markdown file ("EULA.md") published in an attacker-controlled GitHub or Gitee repository. The retrieved binary, an improved version of the Yahoyah trojan, is designed to gather data about wireless networks in the victim machine's proximity and other system metadata and send it to a command-and-control (C2) server. Yahoyah, in turn, serves as a conduit for the final-stage malware, which is downloaded from the C2 server in the form of an image. The steganographically encoded payload is a backdoor known as TClient, which the group has used in past attacks.

The researchers concluded, "The observed activity cluster paints a picture of a focused, determined actor with a clear goal in mind."

"Usually, when third-party benign (or benign-appearing) tools are hand-picked to be inserted into an infection chain, they are chosen to be the least conspicuous possible; the choice of an 'SMS Bomber' tool for this purpose is unsettling, and tells a whole story the moment one dares to extrapolate a motive and an intended victim."